9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] panic: D2B called on non-block 8067a168 (double-free?)
@ 2003-04-30 22:19 Axel Belinfante
  2003-04-30 22:27 ` rsc
  0 siblings, 1 reply; 2+ messages in thread
From: Axel Belinfante @ 2003-04-30 22:19 UTC (permalink / raw)
  To: 9fans

I got the following panic in a kernel I compiled at Feb 18 2003:

	panic: D2B called on non-block 8067a168 (double-free?)

It happened when I was using classical and (I think)
due to some clicking classicjuke probably puked and
committed suicide (at least, before the panic it had
 done so several times -- each time I just restarted it).

Below follows the result of running the src commands
generated from the trace by ktrace through acid.
When I tried with 'ktrace -i' it asked for (one) more
memory location than was present in the trace.

Axel.


cpu%  acid 9pcdisk
9pcdisk:386 plan 9 boot image

/sys/lib/acid/port
/sys/lib/acid/386
acid: src(0x8010675f); // dumpstack+0x10
/sys/src/9/pc/trap.c:509
 504		/* restore pc to instruction that caused the trap */
 505		ureg->pc--;
 506		sprint(buf, "sys: breakpoint");
 507		postnote(up, 1, buf, NDebug);
 508	}
>509
 510	static void
 511	fault386(Ureg* ureg, void*)
 512	{
 513		ulong addr;
 514		int read, user, n, insyscall;
acid: src(0x80139f07); // panic+0xeb
/sys/src/9/port/devcons.c:224
 219		spllo();
 220		prflush();
 221		putstrn(buf, n+1);
 222		dumpstack();
 223
>224		exit(1);
 225	}
 226
 227	void
 228	_assert(char *fmt)
 229	{
acid: src(0x8019e609); // ppanic+0xb4
/sys/src/9/port/alloc.c:88
 83		va_start(v, fmt);
 84		vseprint(pv->msg+strlen(pv->msg), pv->msg+sizeof pv->msg, fmt, v);
 85		va_end(v);
 86		memmove(msg, pv->msg, sizeof msg);
 87		iunlock(&pv->lk);
>88		panic("%s", msg);
 89	}
 90
 91	static void
 92	plock(Pool *p)
 93	{
acid: src(0x801c50b5); // D2B+0x32
/sys/src/libc/port/pool.c:943
 938	D2B(Pool *p, void *v)
 939	{
 940		Alloc *a;
 941		a = _D2B(v);
 942		if(a->magic != KEMPT_MAGIC)
>943			p->panic(p, "D2B called on non-block %p (double-free?)", v);
 944		return a;
 945	}
 946
 947	/* poolallocl: attempt to allocate block to hold dsize user bytes; assumes lock held */
 948	static void*
acid: src(0x801c54de); // poolfreel+0x20
/sys/src/libc/port/pool.c:1064
 1059		Bhdr *back, *fwd;
 1060
 1061		if(v == nil)	/* for ANSI */
 1062			return;
 1063
>1064		ab = D2B(p, v);
 1065		blockcheck(p, ab);
 1066
 1067		if(p->flags&POOL_NOREUSE){
 1068			int n;
 1069
acid: src(0x801c58d3); // poolfree+0x41
/sys/src/libc/port/pool.c:1174
 1169			poolcheckl(p);
 1170		}
 1171		verbosity {
 1172			pooldumpl(p);
 1173		}
>1174		poolfreel(p, v);
 1175		paranoia {
 1176			poolcheckl(p);
 1177		}
 1178		verbosity {
 1179			pooldumpl(p);
acid: src(0x8019e8fb); // free+0x23
/sys/src/9/port/alloc.c:223
 218
 219	void
 220	free(void *v)
 221	{
 222		if(v != nil)
>223			poolfree(mainmem, (ulong*)v-Npadlong);
 224	}
 225
 226	void*
 227	realloc(void *v, ulong size)
 228	{
acid: src(0x801a63ff); // mountfree+0x37
/sys/src/9/port/pgrp.c:248
 243		while(m) {
 244			f = m->next;
 245			cclose(m->to);
 246			m->mountid = 0;
 247			free(m->spec);
>248			free(m);
 249			m = f;
 250		}
 251	}
 252
 253	void
acid: src(0x801a5f93); // closepgrp+0x95
/sys/src/9/port/pgrp.c:87
 82		e = &p->mnthash[MNTHASH];
 83		for(h = p->mnthash; h < e; h++) {
 84			for(f = *h; f; f = next) {
 85				wlock(&f->lock);
 86				cclose(f->from);
>87				mountfree(f->mount);
 88				f->mount = nil;
 89				next = f->hash;
 90				wunlock(&f->lock);
 91				putmhead(f);
 92			}
acid: src(0x801a8156); // pexit+0x136
/sys/src/9/port/proc.c:806
 801			p->rendval = ~0;
 802			l = &REND(p->rgrp, p->rendtag);
 803			for(d = *l; d; d = d->rendhash) {
 804				if(d == p) {
 805					*l = p->rendhash;
>806					break;
 807				}
 808				l = &d->rendhash;
 809			}
 810			ready(p);
 811		}
acid: src(0x801b1e0a); // sysexits+0x7f
/sys/src/9/port/sysproc.c:582
 577			poperror();
 578
 579		}
 580		pexit(status, 1);
 581		return 0;		/* not reached */
>582	}
 583
 584	long
 585	sys_wait(ulong *arg)
 586	{
 587		int pid;
acid: src(0x80106ade); // syscall+0x16c
/sys/src/9/pc/trap.c:604
 599		if(up->nerrlab){
 600			print("bad errstack [%uld]: %d extra\n", scallnr, up->nerrlab);
 601			for(i = 0; i < NERR; i++)
 602				print("sp=%lux pc=%lux\n",
 603					up->errlab[i].sp, up->errlab[i].pc);
>604			panic("error stack");
 605		}
 606
 607		up->insyscall = 0;
 608		up->psstate = 0;
 609
acid: src(0x80100982); // _syscallintr+0x18
/sys/src/9/pc/plan9l.s:45
 40		MOVW	AX, DS
 41		MOVW	AX, ES
 42		PUSHL	SP
 43		CALL	syscall(SB)
 44
>45		POPL	AX
 46		POPAL
 47		POPL	GS
 48		POPL	FS
 49		POPL	ES
 50		POPL	DS
acid:



* Re: [9fans] panic: D2B called on non-block 8067a168 (double-free?)
  2003-04-30 22:19 [9fans] panic: D2B called on non-block 8067a168 (double-free?) Axel Belinfante
@ 2003-04-30 22:27 ` rsc
  0 siblings, 0 replies; 2+ messages in thread
From: rsc @ 2003-04-30 22:27 UTC (permalink / raw)
  To: 9fans

That's discouraging.  Let us know if it happens again.
It looks like there's a ref count bug on some hardly
ever used path.


